Bug 104942

Summary: poppler 0.62.0: stack overflow in FoFiType1C::getOp in fofi/FoFiType1C.cc:2556
Product: poppler Reporter: junchao luan <luanjunchao>
Component: utilsAssignee: poppler-bugs <poppler-bugs>
Status: RESOLVED FIXED QA Contact:
Severity: normal    
Priority: medium    
Version: unspecified   
Hardware: x86-64 (AMD64)   
OS: Linux (All)   
Whiteboard:
i915 platform: i915 features:
Attachments: crash corpus

Description junchao luan 2018-02-05 07:03:38 UTC 
Created attachment 137167 [details]
crash corpus

I compiled latest poppler source code and when I test pdftops with a speific pdf corpus, it raised stack overflow.
Here is the detailed information:

root@9c9d96c10f13:/work# ./poppler_address/utils/pdftops crash_corpus 1
Syntax Error (112189): Illegal character ')'
Syntax Error (112195): Dictionary key must be a name object
Syntax Error (112203): Dictionary key must be a name object
Syntax Error: Unknown font type 'Op'
Syntax Error (112189): Illegal character ')'
Syntax Error (112195): Dictionary key must be a name object
Syntax Error (112203): Dictionary key must be a name object
Syntax Error (112189): Illegal character ')'
Syntax Error (112195): Dictionary key must be a name object
Syntax Error (112203): Dictionary key must be a name object
Syntax Error (112189): Illegal character ')'
Syntax Error (112195): Dictionary key must be a name object
Syntax Error (112203): Dictionary key must be a name object
Syntax Error (112189): Illegal character ')'
Syntax Error (112195): Dictionary key must be a name object
Syntax Error (112203): Dictionary key must be a name object
Syntax Error: Missing length fields in embedded font stream dictionary
ASAN:SIGSEGV
=================================================================
==100913==ERROR: AddressSanitizer: stack-overflow on address 0x7ffccfdd2f48 (pc 0x0000005f6f3e bp 0x7ffccfdd3080 sp 0x7ffccfdd2f30 T0)
    #0 0x5f6f3d in FoFiType1C::getOp(int, bool, bool*) /work/poppler_address/fofi/FoFiType1C.cc:2556
    #1 0x5e3288 in FoFiType1C::cvtGlyph(int, int, GooString*, Type1CIndex*, Type1CPrivateDict*, bool) /work/poppler_address/fofi/FoFiType1C.cc:1223
    #2 0x5e5b98 in FoFiType1C::cvtGlyph(int, int, GooString*, Type1CIndex*, Type1CPrivateDict*, bool) /work/poppler_address/fofi/FoFiType1C.cc:1365
    #3 0x5e5b98 in FoFiType1C::cvtGlyph(int, int, GooString*, Type1CIndex*, Type1CPrivateDict*, bool) /work/poppler_address/fofi/FoFiType1C.cc:1365
    #4 0x5e5b98 in FoFiType1C::cvtGlyph(int, int, GooString*, Type1CIndex*, Type1CPrivateDict*, bool) /work/poppler_address/fofi/FoFiType1C.cc:1365
    ......
    #249 0x5e5b98 in FoFiType1C::cvtGlyph(int, int, GooString*, Type1CIndex*, Type1CPrivateDict*, bool) /work/poppler_address/fofi/FoFiType1C.cc:1365
    #250 0x5e5b98 in FoFiType1C::cvtGlyph(int, int, GooString*, Type1CIndex*, Type1CPrivateDict*, bool) /work/poppler_address/fofi/FoFiType1C.cc:1365
    #251 0x5e5b98 in FoFiType1C::cvtGlyph(int, int, GooString*, Type1CIndex*, Type1CPrivateDict*, bool) /work/poppler_address/fofi/FoFiType1C.cc:1365

SUMMARY: AddressSanitizer: stack-overflow /work/poppler_address/fofi/FoFiType1C.cc:2556 FoFiType1C::getOp(int, bool, bool*)
==100913==ABORTING

The crash corpus is attached.
Comment 1 Albert Astals Cid 2018-02-05 19:12:02 UTC 
seems like a dupe of 103238

You never answered me in that bug. 

Do you plan to answer me here?
Comment 2 Albert Astals Cid 2018-05-01 00:48:25 UTC 
Fixed in master

Use of freedesktop.org services, including Bugzilla, is subject to our Code of Conduct. How we collect and use information is described in our Privacy Policy.